0

I have a situation where the HTTP Authorization request header size is more than 64kb (approximately 90kb) for a particular user. The reason for the large size is that the header contains a bearer token, and the user who initiated the HTTP request has a lot of claims.

The problem is that for this particular user the web server always returns an error stating:

"HTTP Error 400. The size of the request headers is too long".

The web application is self-hosted in a console application using Microsoft OWIN, so IIS is not involved.

While looking into the issue, I came across the following document. It states that the maximum value for MaxFieldLength, which denotes the maximum header length handled by http.sys, is 64kb, and my server is set to the maximum value, i.e. 65,536.

I tried increasing the value further to 131,072 out of curiosity, but as expected it did not solve the issue.

So is there any other way to increase the header maximum length?

Durga Prasad
  • Does this answer your question? [Maximum on http header values?](https://stackoverflow.com/questions/686217/maximum-on-http-header-values) – शेखर Feb 10 '21 at 13:18
  • I am afraid it does not. The answer in the above question talks about there being no limit on the maximum header size from the HTTP specification's perspective. However, in my case I have hit a maximum value of 64kb on a Windows server and am looking for a solution when the header size is beyond that value – Durga Prasad Feb 10 '21 at 13:31
  • 64k is the documented maximum for http.sys, so you're going to have to use a different server. A quick google search seems to indicate that every major http server has a "small" default on the order of 8k or so. 90kb is grotesquely huge, so you're going to have to use a server that doesn't have a cap on the upper limit; perhaps give Apache a try. – Luke Feb 14 '21 at 10:34
  • Any exception logs to show where exactly it is being raised from? – Tarun Lalwani Feb 14 '21 at 13:34
  • Switching to a different server sounds like a good idea. However, it is not feasible at this point in time because it is a mature application that has been in production for quite some time and there is a lot of code base. – Durga Prasad Feb 15 '21 at 08:54
  • I will try to get hold of the logs. – Durga Prasad Feb 15 '21 at 08:56
  • It seems it is time to rethink your protocol. Maybe you can send the claims as JSON in the request body instead of headers. It is even easier to manipulate. – Bob Feb 19 '21 at 08:45
  • JSON Web Tokens (JWT) support token compression out of the box - https://jwt.io/ – WaitingForGuacamole Feb 19 '21 at 18:51
  • @DurgaPrasad, what O.S. hosts the Application? Windows Server? Linux? – Antonio Leonardo Feb 19 '21 at 20:10
  • Try to increase `MaxTokenSize` too https://learn.microsoft.com/en-US/troubleshoot/iis/http-bad-request-response-kerberos and https://learn.microsoft.com/en-US/troubleshoot/iis/http-bad-request-response-kerberos – ExploitFate Feb 21 '21 at 00:30
  • Try to follow this [StackOverflow Thread](https://stackoverflow.com/questions/30203596/mvc-6-openidconnect), and you can use these examples from the [official aspnet GitHub](https://github.com/aspnet/Security/tree/5cf0564484cf5bb2a7a16e6485816d19287538e6/samples/CookieSessionSample). – Antonio Leonardo Feb 21 '21 at 14:52

2 Answers

0

I encountered this and solved it by just increasing the limits set in the registry (open a command prompt and type regedit).

You were right to modify MaxFieldLength; however, you also have to modify MaxRequestBytes, as is stated in the documentation:

Workaround 2: Set MaxFieldLength and MaxRequestBytes registry entries:

By default, there is no MaxFieldLength registry entry. This entry specifies the maximum size limit of each HTTP request header. The MaxRequestBytes registry entry specifies the upper limit for the total size of the Request line and the headers. Typically, this registry entry is configured together with the MaxRequestBytes registry entry.

If the MaxRequestBytes value is lower than the MaxFieldLength value, the MaxFieldLength value is adjusted. In large Active Directory environments, users may experience logon failures if the values for both these entries aren't set to a sufficiently high value.

You will have to add/modify these entries in:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters 

For IIS 6.0 and later, the MaxFieldLength and MaxRequestBytes registry keys are located at the following sub key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters

Antonin GAVREL
  • We have tried setting the parameters. The problem is that the token length is 90KB, which is beyond the maximum allowed value of 64KB for MaxFieldLength. By the way, the MaxRequestBytes value is set to 16MB, which is much higher than MaxFieldLength. – Durga Prasad Mar 12 '21 at 13:04

0

After realizing that there is no possible way of getting the http.sys server to increase the size limit beyond the stated maximum, the following solution has been implemented to overcome the problem at hand.

Disclaimer: It is more of a workaround than a proper solution.

Create a new version (v2, because these are breaking changes) of the existing controllers with the following changes:

  • Convert every GET request into a POST request and pass any applicable query parameters as key-value pairs in the request body.
  • Add an additional key "access_token" to each request body with the value of the bearer token for handling authorization. Ignored for unprotected endpoints.
  • Update the documentation and inform all end users about the changes with lucid examples.
  • Decorate the old version with a "Deprecated" tag.

Durga Prasad
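One way to implement the "access_token in the request body" workaround from the answer above without touching the existing authorization pipeline is an OWIN middleware that lifts the token out of the JSON body and into the Authorization header before the bearer authentication middleware runs. This is an added example, not code from the question or either answer. It assumes ASP.NET Web API 2 self-hosted on Microsoft.Owin with Newtonsoft.Json available, that the v2 endpoints send `application/json` bodies, and that the application's bearer authentication middleware (for example `UseJwtBearerAuthentication`) reads the Authorization header as before; the class name, the extension method and the 1 MB buffering cap are the example's own choices.

```csharp
using System;
using System.IO;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Owin;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;
using Owin;

// Added example, not code from the question or either answer.
// Lifts "access_token" from a JSON POST body into the Authorization header so the
// token never travels as an HTTP header through http.sys (MaxFieldLength governs
// headers only) while the existing bearer authentication stays unchanged.
public sealed class BodyTokenToHeaderMiddleware : OwinMiddleware
{
    // Assumed cap for buffering the body in memory: a 90 KB token fits with room
    // to spare, while an unbounded read would let any client tie up server memory.
    private const int MaxBufferedBodyBytes = 1024 * 1024;

    public BodyTokenToHeaderMiddleware(OwinMiddleware next) : base(next) { }

    public override async Task Invoke(IOwinContext context)
    {
        IOwinRequest request = context.Request;

        bool isJsonPost =
            string.Equals(request.Method, "POST", StringComparison.OrdinalIgnoreCase)
            && request.ContentType != null
            && request.ContentType.StartsWith("application/json", StringComparison.OrdinalIgnoreCase);

        // A header that is already present always wins; the body is consulted only
        // when no Authorization header was sent, so the two can never disagree.
        if (isJsonPost && string.IsNullOrEmpty(request.Headers["Authorization"]))
        {
            MemoryStream buffered = await BufferBodyAsync(request.Body);
            if (buffered == null)
            {
                context.Response.StatusCode = 413; // Payload Too Large
                return;
            }

            // Hand the controller a rewound copy so model binding still sees the whole body.
            request.Body = buffered;

            string token = ExtractAccessToken(buffered.ToArray());
            if (!string.IsNullOrEmpty(token))
            {
                request.Headers.Set("Authorization", "Bearer " + token);
            }
        }

        await Next.Invoke(context);
    }

    // Reads the body into memory, giving up (null) once it exceeds the cap.
    private static async Task<MemoryStream> BufferBodyAsync(Stream body)
    {
        var buffered = new MemoryStream();
        var chunk = new byte[8192];
        int read;
        while ((read = await body.ReadAsync(chunk, 0, chunk.Length)) > 0)
        {
            buffered.Write(chunk, 0, read);
            if (buffered.Length > MaxBufferedBodyBytes)
            {
                return null;
            }
        }
        buffered.Position = 0;
        return buffered;
    }

    // Returns the "access_token" string from a JSON object body, or null when the
    // body is not a JSON object or carries no string-valued access_token.
    private static string ExtractAccessToken(byte[] bodyBytes)
    {
        try
        {
            JObject body = JObject.Parse(Encoding.UTF8.GetString(bodyBytes));
            JToken value;
            if (body.TryGetValue("access_token", out value) && value.Type == JTokenType.String)
            {
                return (string)value;
            }
        }
        catch (JsonException)
        {
            // Malformed JSON: nothing to lift; downstream model binding will reject it.
        }
        return null;
    }
}

public static class BodyTokenStartupExtensions
{
    // Register ahead of the authentication middleware in Startup.Configuration, e.g.:
    //   app.UseBodyTokenToHeader();
    //   app.UseJwtBearerAuthentication(jwtOptions);   // existing bearer validation
    //   app.UseWebApi(config);
    public static IAppBuilder UseBodyTokenToHeader(this IAppBuilder app)
    {
        return app.Use<BodyTokenToHeaderMiddleware>();
    }
}
```

Two consequences of moving the credential into the body are worth checking in the host: request-body logging or tracing middleware must stay off for these endpoints, because the body now carries the bearer token, and the relevant size limit is no longer http.sys's MaxFieldLength but whatever body size limit the host and Web API impose (plus the cap above).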